Block USB device when inserted and popup confirmation to select if it should be enabled


I would like to have a small app installed on my Windows 7 (and Windows 8) machines to "listen" for a USB device being inserted and, if so, check the device type. If it is a HID Keyboard Device it should be blocked and a confirmation dialog should pop up asking whether it may be enabled.

Is this possible, or will the WM_DEVICECHANGE event be raised only after the device is already enabled and able to type to the system?
>>Is this possible or will the WM_DEVICECHANGE event be raised after it is already enabled to type to the system?

Yes and no. Yes, WM_DEVICECHANGE will be sent when the device is already enabled. No, you can't block that at user level. In order to achieve what you want, you will need a driver that addresses this issue at a far lower level.

HugoHiaslAuthor Commented:
With the upcoming BadUSB attack it could be a good idea to implement something like this as a countermeasure.

Unfortunately it will go beyond my experience as c# developer :-(

Thanks for your answer...
Well, it's not that far out. Check out the "Windows Driver Kit Samples Pack", where you will find a "KMDF HID Filter" among other samples, which should serve well as a starting point.

So it's BadUSB fear that this thread is about...
Please describe your attack scenario. Normally, you can protect against it very well if you use GPOs that disallow device installations of any kind and make those possible only for administrators.
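The policy the comment above refers to lives under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. The following is an added example, not from the thread, that applies the same settings on a single machine by writing the registry values the GPO would deploy, with an allow-list so that company-issued keyboards and USB sticks keep working while unknown devices are refused. It assumes Windows PowerShell run elevated; the hardware IDs and class choices are placeholders, not real company devices.

```powershell
# Added example (not from the thread): local equivalent of the
# "Device Installation Restrictions" GPO with an explicit allow-list.
# Assumptions: run elevated; the hardware IDs below are placeholders copied
# from Device Manager (Details > Hardware Ids) on a reference machine.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Hardware IDs of a hypothetical standard-issue keyboard. Matching is an exact
# string compare against the device's hardware/compatible IDs, so every node
# of the keyboard's stack (USB device, its interface, the HID child) is listed.
$AllowedHardwareIds = @(
    'USB\VID_046D&PID_C31C',         # the USB device itself
    'USB\VID_046D&PID_C31C&MI_00',   # keyboard interface of a composite device
    'HID\VID_046D&PID_C31C&MI_00'    # the HID keyboard node (kbdhid)
)
# Setup classes that must keep working for everyone regardless of vendor.
$AllowedClasses = @(
    '{4d36e967-e325-11ce-bfc1-08002be10318}',  # DiskDrive: USB memory sticks
    '{36fc9e60-c465-11ce-8056-444553540000}',  # USB: hubs, host controllers, docking stations
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'   # Mouse: any pointing device
)

function Set-AllowList {
    param([string]$Name, [string[]]$Entries)
    # Enable the "Allow installation of devices that match ..." policy ...
    Set-ItemProperty -Path $Restrictions -Name $Name -Type DWord -Value 1
    # ... and write its list as REG_SZ values named 1, 2, 3 in a subkey of the same name.
    $key = Join-Path $Restrictions $Name
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        Set-ItemProperty -Path $key -Name ($i + 1) -Type String -Value $Entries[$i]
    }
}

New-Item -Path $Restrictions -Force | Out-Null
# "Prevent installation of devices not described by other policy settings"
Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1
# "Allow administrators to override Device Installation Restriction policies"
Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Type DWord -Value 1
Set-AllowList -Name AllowDeviceIDs     -Entries $AllowedHardwareIds
Set-AllowList -Name AllowDeviceClasses -Entries $AllowedClasses

# The values are consulted at the next device installation; already-installed
# devices are not affected retroactively.
Get-ItemProperty -Path $Restrictions |
    Format-List DenyUnspecified, AllowAdminInstall, AllowDeviceIDs, AllowDeviceClasses
```

Two caveats a practitioner should keep in mind: the allow-list matches vendor and product IDs that a reprogrammed firmware can present at will, so it stops unknown and opportunistic devices but not a stick that impersonates the whitelisted keyboard exactly; and it only governs the machines that receive the policy, not the "client machines" mentioned later in the thread.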
HugoHiaslAuthor Commented:
That's right. It is the BadUSB-threat.

I know about the GPOs, even though I honestly did not take them into account. I think they won't work for the given scenario:

Imagine a big company. The employees are working with notebooks. They use flexible seating, so when an employee comes to the company they plug the notebook into a docking station.

They work with very large files, so they need to use USB sticks, even for transfer to client machines.

A GPO could now disable device installation. But then they would not be able to use external keyboards or mice at home or in the company. They also need to be able to plug in and use the USB memory sticks.

In my imaginary solution there is a piece of software that checks (whenever a USB device is plugged in) for the device type. If it is a HID Keyboard, it is automatically disabled and a window pops up warning the user that a keyboard has been plugged in.

There are 2 options:
1. The user really plugged in a USB Keyboard and wants it to be activated, then he needs to be able to activate it. Probably the tool only delays activation. User gets warned and can take action if needed.

2. The user did not plug in a keyboard. He gets the warning and is able to remove the plugged in device immediately or he can keep the keyboard device disabled by button click.
That is no attack scenario. Please describe what you are trying to protect against, how would an attacker proceed?
HugoHiaslAuthor Commented:
The attacker hacks the usb stack of a memory stick.

When he inserts it into a computer, the memory stick is recognized as a normal memory stick as well as a HID Keyboard device, which is automatically enabled and can enter malicious commands into the system.

In a TV report in Germany they showed this kind of attack. The malicious stick entered commands to download a tool from the internet and started it, and the attacker was immediately able to do what he wanted with the computer. I don't know if they opened an SSH tunnel or telnet or a specific tool. But as soon as a person can directly enter commands into a computer, he has a lot of control over it.

Who knows... Probably some secret services use attack mechanisms like this already and none of us knows.

No anti-virus software can prevent this because it is a real input device, just like the main keyboard is.
You are now describing the concept of BadUSB, but you still don't answer my question.
What I expected could look like this: " my users often leave their pcs unattended and unlocked, how can I prevent that some fellow worker plugs his modified USB device into the machine and it executes arbitrary commands?"

So how is your attack looking like? Details please.
HugoHiaslAuthor Commented:
Ok..  I am more interested in the overall-scenario.

But in the terms that you like...

How to prevent being attacked when the users use a hacked usb stick or another hacked usb device.

My view is less about how I could protect our users. My point is whether it is possible to create a piece of software that will prevent all Windows users from being attacked in this way, because the consensus at the moment is that it is not possible to protect yourself against this kind of attack.
To respond to an attack, you need a scenario. So you seem to have watched a film where those devices enable an attacker to gain control of a computer that is unlocked, I guess? And what he does is simply plug in his manipulated device and that device starts executing commands in the name of the user that is logged on (probably an administrator). These commands may lead to downloads of malware and data theft and so on. Well why don't you say so in the first place? ;-)

These devices do no magic, they don't do privilege escalation, so normally they will only be able to do what the user is able to do. If you leave your computer unlocked and unattended, I, the attacker, can do just the same manually. Those devices do it much quicker, that's all. So if you are afraid that the users leave their computers unattended, then simply prohibit leaving workplaces unattended and unlocked at any time. Sounds foolish? Well, that's how it is. Those devices mostly do nothing else but use what the user can already do himself. So if you enable the user to get to data that is company critical, you now have just one more reason to deploy some sort of device control that works with whitelists of known devices. That's the best you can do.

My questions about your scenario arose because you seem to have a scenario in mind - you even have an app in mind against it. But if this app will ask "some HID device is connecting - continue?" who is it asking? The user? The user that voluntarily plugged in that device? No...
Or are you afraid of someone plugging in a device while the machine is unattended, then the device doing some magic and infections, and later he harvests the data that is now downloaded right onto the manipulated device? Well, that's how many device control software products already work: they block everything by default except whitelisted devices. Then if a new device comes they give the user some button to press and ask for a blocking exception that would be logged and need to be confirmed by an admin. Why not use that? Kaspersky's AV does this, for example.
HugoHiaslAuthor Commented:
Yes it is asking the user that plugged it in.

If plugged in when unattended, then it should be locked. So no problem.

But if the user intentionally plugs in a Memory-Stick and wants to copy files from and to the stick, the machine is unlocked and he has probably admin-privileges on the machine.

In this case the popup would tell the user "some HID device is connecting - continue". At this moment the user knows that something is wrong. He will click "disable the HID device" or will immediately remove the malicious USB device.

Let's think about a George Orwell scenario. Any secret service of any country manufactures cheap memory sticks with this hack in the USB device firmware. This secret service could get ALL information from any computer that once gets a device of this type plugged in. In combination with virus attack-downloads that will additionally be able to infect any file on the system, this is a huge and mighty threat.

Which device management software could handle this? This would probably be the solution that I am looking for.
Did you read my comment to the end? Kaspersky's AV does that.
Also, I once wrote a script that disables USB mass storage devices if they are plugged in and their ID is not on a whitelist that I maintained, but the device would install and "live" for a fraction of a second until my script uninstalls it. It was done through event-triggered tasks, but this fraction of a second could already be too long if we are paranoid.
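The event-driven whitelist script described above, re-created as an added example (this is not the expert's original script, which targeted mass storage devices; this one targets keyboard-class devices, the case the question asks about). It subscribes to PnP device arrival through WMI, disables any keyboard whose instance ID is not whitelisted, and shows the user the warning dialog the question describes. Assumptions: Windows PowerShell 5.1 run elevated, and the Disable-PnpDevice cmdlet from the PnpDevice module (Windows 8.1 and later); on Windows 7 that one line would be replaced by devcon.exe from the WDK. The whitelist entries are constructed placeholders.

```powershell
# Added example (not the expert's original script): disable any non-whitelisted
# keyboard-class device as soon as WMI reports its arrival.
# Assumptions: run elevated; Disable-PnpDevice available (Windows 8.1+).
# On Windows 7 use:  devcon.exe disable "@$($Device.DeviceID)"  instead.
$Whitelist = @(
    'ACPI\PNP0303',                  # placeholder: the notebook's built-in keyboard
    'HID\VID_046D&PID_C31C&MI_00'    # placeholder: hypothetical standard-issue USB keyboard
)
$KeyboardClassGuid = '{4d36e96b-e325-11ce-bfc1-08002be10318}'   # setup class "Keyboard"

function Test-Whitelisted {
    param([string]$InstanceId)
    foreach ($prefix in $Whitelist) {
        if ($InstanceId.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Block-UnknownKeyboard {
    param($Device)   # a Win32_PnPEntity instance
    # kbdhid-driven devices carry the Keyboard setup class; HID keyboards also
    # list HID_DEVICE_SYSTEM_KEYBOARD among their compatible IDs.
    $isKeyboard = ($Device.ClassGuid -eq $KeyboardClassGuid) -or
                  ($Device.CompatibleID -contains 'HID_DEVICE_SYSTEM_KEYBOARD')
    if (-not $isKeyboard) { return 'ignored' }
    if (Test-Whitelisted $Device.DeviceID) { return 'allowed' }

    Write-Warning "Unknown keyboard device arrived: $($Device.Name) [$($Device.DeviceID)], disabling it"
    Disable-PnpDevice -InstanceId $Device.DeviceID -Confirm:$false

    # Tell the user what happened so they can pull the device or ask an admin to whitelist it.
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.MessageBox]::Show(
        "A keyboard device was plugged in and has been disabled:`n`n$($Device.Name)`n`n" +
        "If you did not connect a keyboard, remove the USB device now. " +
        "If it is legitimate, ask an administrator to whitelist it.",
        'Unexpected keyboard device', 'OK', 'Warning') | Out-Null
    return 'disabled'
}

# __InstanceCreationEvent is an intrinsic event, so WMI polls for it. WITHIN 1
# is the shortest practical interval: a rogue keyboard can be live for up to a
# second before this script sees it, the same race the expert's script had.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_PnPEntity'"
Register-WmiEvent -Query $query -SourceIdentifier 'PnPArrival'
Write-Host 'Watching for keyboard-class devices; press Ctrl+C to stop.'
try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier 'PnPArrival'
        $device = $evt.SourceEventArgs.NewEvent.TargetInstance
        $result = Block-UnknownKeyboard -Device $device
        Remove-Event -EventIdentifier $evt.EventIdentifier
        if ($result -ne 'ignored') { Write-Host "$result : $($device.DeviceID)" }
    }
} finally {
    Unregister-Event -SourceIdentifier 'PnPArrival'
}
```

Events are consumed with Wait-Event in the script's own scope rather than with an -Action block, so the functions and whitelist above are visible without global-scope tricks. The important limitation is the one already stated in the thread: the device is enabled and may have typed before the script reacts, so this is a detective control with a warning, not a block; only a kernel-mode filter such as the KMDF HID filter sample mentioned earlier can hold the device before its first keystroke.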
HugoHiaslAuthor Commented:
Thanks for that detailed information.